[openstack-dev] VMs can't access outside world..

Barrow Kwan barrowkwan at yahoo.com
Fri Mar 1 06:24:11 UTC 2013


Hi,
I posted this on the General Discussions list but didn't get any answer. I also
found that someone posted a similar issue back in Dec but didn't get an answer
either. So I hope someone from the Dev side can help.

I installed Folsom on CentOS6.3. It has 2 NICs (the server has 4, but I only use
two and disabled the other two). I used Quantum + LinuxBridge. VM provisioning
is fine and it got an IP address. I assigned a floating IP and created security
(allow icmp and ssh). I can SSH to the VM from outside through the floating IP.
However, when I am inside the VM, I can't access anything outside of the VM or
my OpenStack infrastructure. Here is the information I can provide:



OS - CentOS6.3 (single node - everything is running there, e.g. cinder, nova,
compute, glance...)
OpenStack Folsom
Quantum - LinuxBridge
Single node with two NICs (em1 and em3. They are on different VLANs on the
physical switch).



/etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296





/etc/sysconfig/modules/openstack-quantum-linuxbridge.modules
#!/bin/sh
modprobe -b bridge >/dev/null 2>&1
exit 0




/etc/sysconfig/network-scripts/ifcfg-em1
DEVICE="em1"
BOOTPROTO="static"
DNS1="10.99.99.1"
GATEWAY="10.38.0.254"
IPADDR="10.38.15.251"
IPV6INIT="no"
MTU="1500"
NETMASK="255.255.0.0"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"




/etc/sysconfig/network-scripts/ifcfg-em3
DEVICE="em3"
BOOTPROTO="none"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"




/etc/nova/nova.conf
[DEFAULT]
logdir = /var/log/nova
state_path = /var/lib/nova
lock_path = /var/lib/nova/tmp
volumes_dir = /etc/nova/volumes
dhcpbridge = /usr/bin/nova-dhcpbridge
dhcpbridge_flagfile = /etc/nova/nova.conf
force_dhcp_release = True
injected_network_template = /usr/share/nova/interfaces.template
libvirt_nonblocking = True
libvirt_inject_partition = -1
network_manager = nova.network.manager.FlatDHCPManager
iscsi_helper = tgtadm
sql_connection = mysql://nova:nova@localhost/nova
compute_driver = libvirt.LibvirtDriver
firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
rpc_backend = nova.openstack.common.rpc.impl_qpid
rootwrap_config = /etc/nova/rootwrap.conf
flat_interface = em3
public_interface = em1
auth_strategy = keystone
qpid_hostname =opst01
glance_api_servers = optst01:9292
glance_host = opst01
volume_api_class = nova.volume.cinder.API
enabled_apis = ec2,osapi_compute,metadata
network_api_class = nova.network.quantumv2.api.API
quantum_admin_username = quantum
quantum_admin_password = quantum
#quantum_admin_auth_url = http://localhost:5000/v2.0/
quantum_admin_auth_url = http://localhost:35357/v2.0/
quantum_auth_strategy = keystone
quantum_admin_tenant_name = service
quantum_url = http://opst01:9696/
libvirt_vif_driver = nova.virt.libvirt.vif.QuantumLinuxBridgeVIFDriver
[keystone_authtoken]
admin_token = 111111111111111





/etc/quantum/l3_agent.ini
[DEFAULT]
debug = True
interface_driver = quantum.agent.linux.interface.BridgeInterfaceDriver
admin_token = 111111111111111
root_helper = sudo quantum-rootwrap /etc/quantum/rootwrap.conf
external_network_bridge = 
use_namespaces = False
router_id = 1a8fd530-56d2-4192-b3fe-1f77651cbf41





/etc/quantum/plugin.ini
[VLANS]
tenant_network_type = vlan
network_vlan_ranges = physnet1,physnet2:100:199
[DATABASE]
sql_connection = mysql://quantum:quantum@optst01/quantum_linux_bridge
reconnect_interval = 2
[LINUX_BRIDGE]
physical_interface = em1,em3
physical_interface_mappings = physnet1:em1,physnet2:em3
[AGENT]
polling_interval = 2
root_helper = sudo quantum-rootwrap /etc/quantum/rootwrap.conf





[root@opst01 quantum]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.151.0   0.0.0.0         255.255.255.0   U     0      0        0 ns-b21309cd-11
192.168.151.0   0.0.0.0         255.255.255.0   U     0      0        0 qr-ec728fdd-44
10.38.17.0      0.0.0.0         255.255.255.0   U     0      0        0 qg-28179e3d-dc
10.38.0.0       0.0.0.0         255.255.0.0     U     0      0        0 brq6b600334-9f
169.254.0.0     0.0.0.0         255.255.0.0     U     1004   0        0 em3
0.0.0.0         10.38.0.254     0.0.0.0         UG    100    0        0 brq6b600334-9f





[root@optst01 quantum]# service iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    nova-compute-PREROUTING  all  --  0.0.0.0/0            0.0.0.0/0
2    quantum-l3-agent-PREROUTING  all  --  0.0.0.0/0            0.0.0.0/0
3    nova-api-PREROUTING  all  --  0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    nova-compute-POSTROUTING  all  --  0.0.0.0/0            0.0.0.0/0
2    quantum-l3-agent-POSTROUTING  all  --  0.0.0.0/0            0.0.0.0/0
3    quantum-postrouting-bottom  all  --  0.0.0.0/0            0.0.0.0/0
4    nova-api-POSTROUTING  all  --  0.0.0.0/0            0.0.0.0/0
5    nova-postrouting-bottom  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    nova-compute-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0           
2    quantum-l3-agent-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0           
3    nova-api-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain nova-api-OUTPUT (1 references)
num  target     prot opt source               destination         

Chain nova-api-POSTROUTING (1 references)
num  target     prot opt source               destination         

Chain nova-api-PREROUTING (1 references)
num  target     prot opt source               destination         

Chain nova-api-float-snat (1 references)
num  target     prot opt source               destination         

Chain nova-api-snat (1 references)
num  target     prot opt source               destination         
1    nova-api-float-snat  all  --  0.0.0.0/0            0.0.0.0/0           

Chain nova-compute-OUTPUT (1 references)
num  target     prot opt source               destination         

Chain nova-compute-POSTROUTING (1 references)
num  target     prot opt source               destination         

Chain nova-compute-PREROUTING (1 references)
num  target     prot opt source               destination         

Chain nova-compute-float-snat (1 references)
num  target     prot opt source               destination         

Chain nova-compute-snat (1 references)
num  target     prot opt source               destination         
1    nova-compute-float-snat  all  --  0.0.0.0/0            0.0.0.0/0           

Chain nova-postrouting-bottom (1 references)
num  target     prot opt source               destination         
1    nova-compute-snat  all  --  0.0.0.0/0            0.0.0.0/0           
2    nova-api-snat  all  --  0.0.0.0/0            0.0.0.0/0           

Chain quantum-l3-agent-OUTPUT (1 references)
num  target     prot opt source               destination         

Chain quantum-l3-agent-POSTROUTING (1 references)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           ! ctstate DNAT

Chain quantum-l3-agent-PREROUTING (1 references)
num  target     prot opt source               destination         

Chain quantum-l3-agent-float-snat (1 references)
num  target     prot opt source               destination         

Chain quantum-l3-agent-snat (1 references)
num  target     prot opt source               destination         
1    quantum-l3-agent-float-snat  all  --  0.0.0.0/0            0.0.0.0/0
2    SNAT       all  --  192.168.151.0/24     0.0.0.0/0           to:10.38.17.1

Chain quantum-postrouting-bottom (1 references)
num  target     prot opt source               destination         
1    quantum-l3-agent-snat  all  --  0.0.0.0/0            0.0.0.0/0           

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    nova-compute-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
2    quantum-l3-agent-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
3    nova-api-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0           
2    nova-compute-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0           
3    quantum-filter-top  all  --  0.0.0.0/0            0.0.0.0/0           
4    quantum-l3-agent-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0
5    nova-api-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0           
2    nova-compute-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0           
3    quantum-filter-top  all  --  0.0.0.0/0            0.0.0.0/0           
4    quantum-l3-agent-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0           
5    nova-api-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain nova-api-FORWARD (1 references)
num  target     prot opt source               destination         

Chain nova-api-INPUT (1 references)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  0.0.0.0/0            10.38.15.251        tcp dpt:8775 

Chain nova-api-OUTPUT (1 references)
num  target     prot opt source               destination         

Chain nova-api-local (1 references)
num  target     prot opt source               destination         

Chain nova-compute-FORWARD (1 references)
num  target     prot opt source               destination         

Chain nova-compute-INPUT (1 references)
num  target     prot opt source               destination         

Chain nova-compute-OUTPUT (1 references)
num  target     prot opt source               destination         

Chain nova-compute-inst-20 (1 references)
num  target     prot opt source               destination         
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3    nova-compute-provider  all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     udp  --  192.168.151.2        0.0.0.0/0           udp spt:67 dpt:68
5    ACCEPT     all  --  192.168.151.0/24     0.0.0.0/0
6    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
7    ACCEPT     icmp --  192.168.151.3        0.0.0.0/0
8    ACCEPT     icmp --  192.168.151.4        0.0.0.0/0
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
10   nova-compute-sg-fallback  all  --  0.0.0.0/0            0.0.0.0/0

Chain nova-compute-inst-21 (1 references)
num  target     prot opt source               destination         
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3    nova-compute-provider  all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     udp  --  192.168.151.2        0.0.0.0/0           udp spt:67 dpt:68
5    ACCEPT     all  --  192.168.151.0/24     0.0.0.0/0
6    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
7    ACCEPT     icmp --  192.168.151.3        0.0.0.0/0
8    ACCEPT     icmp --  192.168.151.4        0.0.0.0/0
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
10   nova-compute-sg-fallback  all  --  0.0.0.0/0            0.0.0.0/0

Chain nova-compute-local (1 references)
num  target     prot opt source               destination         
1    nova-compute-inst-20  all  --  0.0.0.0/0            192.168.151.3       
2    nova-compute-inst-21  all  --  0.0.0.0/0            192.168.151.4       

Chain nova-compute-provider (2 references)
num  target     prot opt source               destination         

Chain nova-compute-sg-fallback (2 references)
num  target     prot opt source               destination         
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain nova-filter-top (2 references)
num  target     prot opt source               destination         
1    nova-compute-local  all  --  0.0.0.0/0            0.0.0.0/0           
2    nova-api-local  all  --  0.0.0.0/0            0.0.0.0/0           

Chain quantum-filter-top (2 references)
num  target     prot opt source               destination         
1    quantum-l3-agent-local  all  --  0.0.0.0/0            0.0.0.0/0           

Chain quantum-l3-agent-FORWARD (1 references)
num  target     prot opt source               destination         

Chain quantum-l3-agent-INPUT (1 references)
num  target     prot opt source               destination         

Chain quantum-l3-agent-OUTPUT (1 references)
num  target     prot opt source               destination         

Chain quantum-l3-agent-local (1 references)
num  target     prot opt source               destination         



